AAI for mandatory authentication and proxy usage to allow internet access on public workstations of ETH-Bibliothek

Size: px

Start display at page:

Download "AAI for mandatory authentication and proxy usage to allow internet access on public workstations of ETH-Bibliothek"

Benedict Bates
10 years ago
Views:

1 AAI for mandatory authentication and proxy usage to allow internet access on public workstations of ETH-Bibliothek Wolfgang Lierz, ETH-Bibliothek, IT Services Cristian Tuduce, ETH Zürich, ID-Basisdienste 1

ETH-Bibliothek Wolfgang Lierz, ETH-Bibliothek, IT

2 Outline The ETH proxy infrastructure Cristian The ETH-Bibliothek solution Wolfgang 2

3 The web-proxy From appliance to Squid: Appliance end-of-life Many appliances use variations of Squid Authenticating: Users connecting from outside ETH Selected IP ranges from inside ETH 3

4 Squid authentication problems RADIUS with basic authentication Clear-text channel between client and proxy Skinny authentication-helper interface Sniffing trivial Password guessing attacks Solution: Squid with Shibboleth authentication! 4

Skinny authentication-helper interface Sniffing trivial

5 Why Shibboleth No passwords floating around insecure Password guessing cumbersome [put favorite reason here] Interesting problem! 5

6 The challenge: different worlds Cookie-based Data pipe No web server to receive cookies 6

7 The proxy principle 7

8 Before authentication # 307: go authenticate (then #)! 8

9 The authentication process 307: now go to URL #! 9

10 After authentication OK 10

11 The building block Squid w/ Shibboleth authentication 11

12 AAI-enabling public workstations of ETH-Bibliothek: requirements authentication itself is the service! AAI for customers outside SWITCHaai scope (time-limited) internet access via AAI-enabled proxy modifications on proxy.ethz.ch 12

AAI for customers outside SWITCHaai scope (time-limited)

13 Authentication itself as service 13

14 AAI for Swiss university members 14

15 AAI for other library customers 15

16 Modifications on SWITCH embedded WAYF wayf_force_remember_for_session = true; wayf_show_remember_checkbox = true; wayf_hide_categories = new Array("library","vho","upcoming"); wayf_hide_categories = new Array("all"); wayf_unhide_idps = new Array(" wayf_return_url = " 16

Array("library","vho","upcoming"); wayf_hide_categories = new Array("all"); wayf_unhide_idps =

17 AAI-enabled service: login+redirect $hosts = $d->login_user(); if($hosts) { header('location: } else { if($d->get_remaining_time()) header('location: else header('location: 17

$duplicate'); } else { if($d->get_remaining_time()) header('location: http://www.library.ethz.$

18 SWITCH VHO admin tool 18

19 PINlogin database viewer 19

20 // function FindProxyForURL(url, host) { if (shexpmatch(url, "http*://publikum.library.ethz.ch/*") shexpmatch(url, " shexpmatch(url, " {return "DIRECT";} if (shexpmatch(url, " shexpmatch(url, " shexpmatch(url, " shexpmatch(url, " shexpmatch(url, " shexpmatch(url, " {return "DIRECT";} if (shexpmatch(url, "http*://proxy.ethz.ch/*")) {return "DIRECT";} return "PROXY proxy.ethz.ch:3128"; } 20

*.ch/*") shexpmatch(url, "https://aai-idp.*.ch/*") shexpmatch(url, "https://aai.*.ch/*") shexpmatch(url, "https://idp.*.ch/*") shexpmatch(url, "https://login2.*.ch/*")) {return "DIRECT";} if (shexpmatch(url, "http*://proxy.

21 Modifications on proxy.ethz.ch forcing proxy usage in public workstation subnets of ETH-Bibliothek allowing proxy usage from whole SWITCHaai community 21

22 Forcing proxy usage in library's public workstation subnets: acl library-public-hg src /25 acl library-public-rz src /28 acl library-public-hix src /28 acl library-public-hpx src /28 acl library-public-nw src /28 acl library-public-cx src /27 url_rewrite_access allow library-public-hg url_rewrite_access allow library-public-rz url_rewrite_access allow library-public-hix url_rewrite_access allow library-public-hpx url_rewrite_access allow library-public-nw url_rewrite_access allow library-public-cx 22

23 Allowing proxy usage from whole SWITCHaai community sub decide_proxy_access() { my $ACCEPT_PROXY_ACCESS = 0; if ($ENV{'REMOTE_ADDR'} eq " ") { $ACCEPT_PROXY_ACCESS = 3; return $ACCEPT_PROXY_ACCESS; } my $ip_match = match_ip($env{'remote_addr'}, " /25", " /28", " /28", " /28", " /28", " /27", " "); if ($ENV{'HTTP_SHIB_SWISSEP_HOMEORGANIZATION'} eq "ethz.ch") { $ACCEPT_PROXY_ACCESS = 1; return $ACCEPT_PROXY_ACCESS; } else { if ($ip_match) { if ($ENV{'HTTP_SHIB_SWISSEP_HOMEORGANIZATIONTYPE'} =~ /^(university uas hospital others vho)$/) { $ACCEPT_PROXY_ACCESS = 1; return $ACCEPT_PROXY_ACCESS; 23

24 Hiding AAI dialogues of proxy only implicit because authentication is already done before no severe complaints from users getting confused when trying to overcome limitation 24

25 Conclusion Robust solution running since Only few modifications of central proxy server needed Only very small modification of WAYF needed Can be easily extended/migrated as soon other AAI Identity Providers for private library customers are available 25

26 Questions? Live demo? 26

Logout Support on SP and Application

Logout Support on SP and application Logout Support on SP and Application Possibilities and and Limitations SWITCHaai Team [email protected] Single Logout: Is it possible? Single Logout will work only in some